Event 22: DNS Query
Quick Answer
Sysmon Event 22 captures DNS queries made by processes, recording the queried domain name, query result, and the process responsible. This event is essential for detecting command-and-control communications, DNS tunneling, phishing domain contacts, and malicious domain generation algorithms used by malware.
Technical Details
Event ID: 22
Sysmon- Network Activity
Event Description
Logs when a process executes a DNS query, whether the result is successful or fails, cached or not.
Analyst Notes & Scenarios
- Crucial Fields: QueryName, QueryStatus, QueryResults, Image.
- Look for queries to known malicious/suspicious domains (Threat Intel, DGAs).
- Identify high frequency of NXDOMAIN (QueryStatus=0x9003) responses, potentially indicating DGA activity.
- Monitor for DNS tunneling patterns (unusual subdomains, large query sizes - though size isn't logged by default).
- Filter known good/internal domains in Sysmon config.
Key Log Fields
UtcTime- UTC timestamp of DNS queryProcessGuid- Process GUID making the queryProcessId- Process IDImage- Process executable pathQueryName- DNS hostname being queriedQueryStatus- DNS query result status codeQueryResults- Resolved IP address(es)
MITRE ATT&CK® Mapping (4)
Adversaries may communicate using the Domain Name System (DNS) application layer protocol to avoid detection/network filtering by blending in with existing traffic. Commands to the remote system, and often the results of those commands, will be embedded within the protocol traffic between the client and server. The DNS protocol serves an administrative function in computer networking and thus may be very common in environments. DNS traffic may also be allowed even before network authentication is completed. DNS packets contain many fields and headers in which data can be concealed. Often known as DNS tunneling, adversaries may abuse DNS to communicate with systems under their control within a victim network while also mimicking normal, expected traffic.(Citation: PAN DNS Tunneling)(Citation: Medium DnsTunneling)
Adversaries may use Fast Flux DNS to hide a command and control channel behind an array of rapidly changing IP addresses linked to a single domain resolution. This technique uses a fully qualified domain name, with multiple IP addresses assigned to it which are swapped with high frequency, using a combination of round robin IP addressing and short Time-To-Live (TTL) for a DNS resource record.(Citation: MehtaFastFluxPt1)(Citation: MehtaFastFluxPt2)(Citation: Fast Flux - Welivesecurity) The simplest, "single-flux" method, involves registering and de-registering an addresses as part of the DNS A (address) record list for a single DNS name. These registrations have a five-minute average lifespan, resulting in a constant shuffle of IP address resolution.(Citation: Fast Flux - Welivesecurity) In contrast, the "double-flux" method registers and de-registers an address as part of the DNS Name Server record list for the DNS zone, providing additional resilience for the connection. With double-flux additional hosts can act as a proxy to the C2 host, further insulating the true source of the C2 channel.
Adversaries may make use of Domain Generation Algorithms (DGAs) to dynamically identify a destination domain for command and control traffic rather than relying on a list of static IP addresses or domains. This has the advantage of making it much harder for defenders to block, track, or take over the command and control channel, as there potentially could be thousands of domains that malware can check for instructions.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Unit 42 DGA Feb 2019) DGAs can take the form of apparently random or “gibberish” strings (ex: istgmxdejdnxuyla.ru) when they construct domain names by generating each letter. Alternatively, some DGAs employ whole words as the unit by concatenating words together instead of letters (ex: cityjulydish.net). Many DGAs are time-based, generating a different domain for each time period (hourly, daily, monthly, etc). Others incorporate a seed value as well to make predicting future domains more difficult for defenders.(Citation: Cybereason Dissecting DGAs)(Citation: Cisco Umbrella DGA)(Citation: Talos CCleanup 2017)(Citation: Akamai DGA Mitigation) Adversaries may use DGAs for the purpose of [Fallback Channels](https://attack.mitre.org/techniques/T1008). When contact is lost with the primary command and control server malware may employ a DGA as a means to reestablishing command and control.(Citation: Talos CCleanup 2017)(Citation: FireEye POSHSPY April 2017)(Citation: ESET Sednit 2017 Activity)
Adversaries may perform calculations on addresses returned in DNS results to determine which port and IP address to use for command and control, rather than relying on a predetermined port number or the actual returned IP address. A IP and/or port number calculation can be used to bypass egress filtering on a C2 channel.(Citation: Meyers Numbered Panda) One implementation of [DNS Calculation](https://attack.mitre.org/techniques/T1568/003) is to take the first three octets of an IP address in a DNS response and use those values to calculate the port for command and control traffic.(Citation: Meyers Numbered Panda)(Citation: Moran 2014)(Citation: Rapid7G20Espionage)
Event Comparison
Event 22 shows DNS queries, while Event 3 shows the resulting network connections. Together they provide complete network communication visibility from domain resolution through connection establishment.
What This Event Means
Sysmon Event 22 provides visibility into DNS queries performed by processes on the system, capturing the domain name being resolved, the query results, and critically, which process initiated the query. This process-level attribution for DNS queries is not available in standard Windows DNS client logs, making Event 22 uniquely valuable for threat detection. Attackers use DNS for command-and-control communications because DNS traffic is often allowed through firewalls with minimal inspection, making it an attractive channel for malicious communications. Event 22 enables detection of malware beaconing to C2 infrastructure through domain queries, identification of DNS tunneling where data is exfiltrated through DNS requests, and discovery of domain generation algorithm (DGA) usage where malware queries randomly generated domains to find its control server. Security analysts can detect C2 domains by correlating DNS queries with threat intelligence feeds of known malicious domains, identify DGA activity through entropy analysis of queried domain names and observing high query volumes of non-existent domains (NXDOMAIN responses), and spot DNS tunneling through queries to domains with unusual characteristics like very long subdomains or high query frequency to a single domain. The process information reveals which application is performing DNS queries, enabling detection of unusual patterns like Office applications or PDF readers querying domains, which often indicates exploitation or embedded malware. By combining Event 22 with network connection events (Event 3), analysts can trace the complete network activity lifecycle from initial DNS resolution through the subsequent TCP/UDP connections to resolved IP addresses, providing comprehensive visibility into network-based attacks.
Security Implications
- DNS queries for known malicious domains indicate active command-and-control communications
- High entropy domain names with random characters suggest domain generation algorithms used by malware
- Document viewers or Office apps performing DNS queries indicate exploitation or malicious content
- Numerous NXDOMAIN responses from a single process reveal DGA-based malware searching for C2 servers
- DNS queries with unusually long subdomains or high frequency may indicate DNS tunneling for data exfiltration
Detection Strategies
Integrate DNS query logs with threat intelligence feeds to automatically flag queries to known malicious domains, C2 infrastructure, and phishing sites. Implement entropy scoring on queried domain names to identify DGA activity characterized by random-looking domain strings. Monitor for processes that don't normally perform DNS queries suddenly resolving domains, especially document viewers and media players. Track the volume of DNS queries per process and alert on unusual spikes or high-frequency query patterns. Alert on queries returning NXDOMAIN responses at high rates, which indicates DGA malware cycling through generated domains. Correlate Event 22 with process creation (Event 1) and network connections (Event 3) to build complete attack timelines from initial execution through DNS resolution to network communication. Maintain allowlists of legitimate high-volume DNS query sources like browsers and cloud sync clients to reduce false positives. Detailed threat intelligence integration guides and sample SIEM queries will be provided in upcoming documentation releases.
Note: Comprehensive SIEM detection queries for Splunk SPL, Microsoft KQL, and Elastic Query DSL will be added in future updates.
Real-World Attack Examples
Qakbot malware generates distinctive DNS query patterns in Event 22 with algorithm-generated domains for C2 resilience
APT1 campaigns used custom DNS tunneling protocols visible in Event 22 with characteristic long subdomain queries for data exfiltration
Emotet infrastructure queries visible in Event 22 show patterns of accessing compromised WordPress sites for command-and-control